PlainsCapital Settlement Stirs Debate
Observers Still Expect Legislation to Address Fraud, Security
Question #1 is about reputation, says David Navetta, a lawyer at InfoLaw Group, a law firm specializing in information security law.
"Banks live and die on their customers' trust," he says. The risk of facing a jury trial may have led PlainsCapital to settle with Hillary. But the case is only one of many instances where businesses have lost money through these fraudulent ACH transactions, resulting also in lost confidence in the banks. "Institutions need to look at their contracts with business customers and make sure they are as tight as possible."
Security as a Competitive Edge?
Navetta sees an opportunity for banking institutions to market themselves if they feel they have strong security. But the problem with this idea, says Charisse Castagnoli, an independent banking consultant and information security law expert in Austin, TX, is that most banks don't come close to having the "strong two-factor authentication" that is called for in the FFIEC guidance.
"I am very disappointed by the banks' response to the FFIEC guidelines," she says. "I don't believe that the majority of the banks have employed true, two-factor authentication."
Strong authentication for online banking customers isn't just a community bank issue, she says. "There are big banks being hit with this as well," Castagnoli points out. Part of the problem is a lack of awareness and education, but it's also a challenging environment in the online banking space. "Everyone wants instantaneous access, but the real worry is what they are trading off when they get that immediate access is a lack of security."
Financial institutions across the country may soon face another security gauntlet -- this time from their business banking customers in the form of a grassroots movement that is being organized by some of the businesses that have already suffered fraud losses.
Leading the businesses is Jim Woodhill, CEO and founder of Authentify, who says "It is hard to imagine a message more likely to spread virally than 'your organization's money is not safe in its bank.'"
Woodhill is aware of a victim initiative readying a website launch that will have a letter template that businesses will take to their institutions. The letter will ask whether the institution will stand behind its fraud controls in the event the business' online banking account is compromised. Woodhill says word on this crime will eventually start spreading on its own, but to help it along the website will give victims and potential victims information on the crime.
Lobbying lawmakers for legislation to answer this problem is ongoing in Washington, says Woodhill, who sees his efforts taking shape. The settlement of the PlainsCapital v. Hillary Machinery suit has no impact on these efforts. "There are other businesses still getting hit with this crime, and it is not going away," he says.
Woodhill notes that every small business owner who looks at the Hillary case has to ask: "Do I really want to do banking at a bank that doesn't protect my money?"
Legislation may be coming, but InfoLaw Group's Navetta warns that the industry must approach this carefully. "We have to be careful in how it comes about, because often it is a knee-jerk reaction to an issue and will make matters even more complicated," he says.
Castagnoli predicts there will be legislation coming from Congress regarding strong authentication and account takeover. "It may come from Congress, or if it doesn't come from them, the new consumer protection agency may have it as one of its first actions," she notes. "I would hope that the industry is able to get some voice in it. You can legislate a solution to this one type of problem, but the world we live in with the immediate, always on, always available banking we offer, these threats are not going to go away."